This week we’re joined by Grady Summers, CTO of FireEye, former CISO of General Electric, and my former boss. During our conversation, Grady discusses his rise through the ranks at one of the largest companies in the world and his decision to leave GE behind to join Mandiant. He talks about FireEye’s place in history and some of the unique challenges they face. We also discuss buzzword solutions and which products he thinks are overblown and which ones show real promise.

Grady chose to support Love and Grace Haiti with his appearance. These funds will go to support the care and education of 25 Haitian kids.

If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. Let Grady know you enjoyed it by tweeting at him @GradyS. As always, I love hearing your feedback as well; you can reach me @chrissanders88.

Cliff discovers the attacker attempting to find a pathway into CIA systems by querying the Milnet NIC. The attacker doesn’t find any computers, but he does find the names of four people. Cliff calls these people and finally reaches one of them to let him know that the attacker was searching for a CIA computer. The CIA takes interest and sends someone out the following Monday.

Cliff presents his findings to the CIA, including an agent named Teejay. He learns that DOCKMASTER isn’t a Navy shipyard but an unclassified NSA system. The CIA lets Cliff know they can’t do much; it’s up to the FBI to pursue it. Teejay tells Cliff to keep monitoring and to keep him informed regardless. He also shares a story about the zero trust model used at the CIA and a time when an insider intercepted agent data. The insider was caught when a secretary noticed that the last login time shown on her terminal was not one she recognized.

Most Security Practitioners are Choice Architects

The story Teejay shared about the CIA is interesting because of how they caught the insider. A secretary came back from vacation and logged in to her terminal. When a user there logs in, they see the time of their last successful login. The secretary noticed that her last login had occurred while she was on vacation and reported it, which began the investigation that caught the inside attacker. The last login message is a trigger for a choice, and the people who implemented it are choice architects. All security people are, to some degree, choice architects.

The concept of libertarian paternalism (note: the term “libertarian” here has nothing to do with politics) posits that it is possible and legitimate to influence behavior while still respecting freedom of choice. We can allow users to make their own choices while “nudging” them towards the choices that are in their best security interest. Secure default options exist for exactly this reason.

In class, we went through several examples of choice architecture that are less than desirable, including Facebook’s implementation of “Last Login”, how Word/Excel notify users about macros, and Outlook’s user experience for opening attachments.

The attacker logs back in and finds a password to the Livermore lab network. This lab does secret research and those computers are supposed to be isolated. They have unclassified computers connected to the network, however. Cliff discovers this when he observes the attacker log into LBL from Livermore. Cliff wasn’t aware that was even possible; as often happens, the attacker found a pathway the defenders didn’t know existed.

The attacker breaks into the MIT network from LBL. Cliff calls the network operator and discovers this was likely possible because a scientist who accessed Livermore’s computers also accessed MIT computers, and probably left his password lying around.

Network Architecture, Zero-Trust Networks, Beyond Corp, and Air Gaps

A network should be built with defensibility in mind. This means building a network assuming you will be attacked, and assuming at least some of those attacks will be successful. I discussed the components of a defensible network as defined by Richard Bejtlich. A defensible network must be: monitored, inventoried, controlled, claimed, minimized, assessed, and current.

Traditional networks are perimeter focused. Many call this the M&M model: a crunchy external shell and a soft interior. Things inside the network are trusted, things outside are not. However, the perimeter has shifted over time thanks to the heavy usage of cloud apps for critical services, the needs of remote or WFH employees, and bring your own device (BYOD).

Many people are now looking to Zero Trust Network models like Google’s BeyondCorp. When you plug into a ZT network, you aren’t automatically afforded any trust. You have to gain trust through multiple factors. Your system has to authenticate via a certificate, the user has to authenticate in two ways, the user has to be enrolled in the proper job classification, and more. All assets are reachable over the Internet through an access proxy. There’s no VPN to access things anymore and no single point of trust assessment; it’s a combination of multiple rules and trust evaluations going on all the time. This is an oversimplification, but it changes how you might think of a traditional perimeter network.
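To make the “multiple rules evaluated on every request” idea concrete, here is a toy policy engine I added for these notes. It is not Google’s BeyondCorp code and not something from the class; the device tiers, attribute names, and role names are assumptions made for the example. The point it shows is that the decision never depends on where the request came from, and that a single weak signal (one missing factor, an unencrypted disk) is enough to deny.

```python
"""Illustrative zero-trust access decision (added example, not BeyondCorp code).

Access is decided per request from several signals: device identity and
health, user authentication factors, and job role. Tier names, attribute
names and roles are assumptions made for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed device trust tiers, lowest to highest.
TIERS = ["untrusted", "basic", "managed", "high"]


@dataclass
class Device:
    cert_valid: bool      # presented a valid client certificate
    in_inventory: bool    # device ID is known to the asset inventory
    disk_encrypted: bool
    patched: bool


@dataclass
class User:
    factors: set = field(default_factory=set)  # e.g. {"password", "otp"}
    roles: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    min_tier: str        # lowest device tier allowed to reach it
    required_role: str


def device_tier(d: Device) -> str:
    """Derive a device trust tier from its attributes (assumed policy)."""
    if not (d.cert_valid and d.in_inventory):
        return "untrusted"      # unknown or unauthenticated device
    if not d.disk_encrypted:
        return "basic"
    if not d.patched:
        return "managed"
    return "high"


def decide(user: User, device: Device, resource: Resource) -> tuple[bool, list[str]]:
    """Evaluate every rule and return (allowed, reasons_for_denial).

    Nothing is inferred from network location; each signal is checked
    independently and any failing rule denies the request.
    """
    reasons: list[str] = []
    tier = device_tier(device)
    if TIERS.index(tier) < TIERS.index(resource.min_tier):
        reasons.append(f"device tier {tier} below required {resource.min_tier}")
    if len(user.factors) < 2:
        reasons.append("user has not authenticated with two factors")
    if resource.required_role not in user.roles:
        reasons.append(f"user lacks role {resource.required_role}")
    return (not reasons, reasons)


if __name__ == "__main__":
    repo = Resource("source-repo", min_tier="managed", required_role="engineering")
    alice = User(factors={"password", "otp"}, roles={"engineering"})
    laptop = Device(cert_valid=True, in_inventory=True, disk_encrypted=True, patched=True)
    print(decide(alice, laptop, repo))
    print(decide(alice, Device(True, True, False, True), repo))
```

The engine is deliberately stateless: a real deployment would re-run something like `decide()` on every request through the access proxy, pulling device health from inventory rather than trusting the client’s own claims.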

Air-gapped networks are those that are theoretically physically disconnected from public Internet-touching networks. I say theoretically because in practice many of them aren’t. Someone once said that an air-gapped network is really just a high latency network.

Research BeyondCorp and examples of real-world deployments outside Google. What were the challenges faced?

Cliff discusses the attack with friends and draws a link between some of the attacker’s choices. The passwords he’s chosen have a theme: jaeger is German for hunter, and benson and hedges are a brand of cigarettes.

The attacker breaks into an Elxsi supercomputer at LBL by guessing the password of a default SYSTEM-level account. Cliff discovers this and writes a program that slows the computer to a crawl whenever the attacker dials into it, so as not to give away that the attacker has been discovered.

Cliff strengthens his monitoring system by purchasing a pager to notify him when a compromised account logs in. This keeps him from sleeping at the office.

Cliff calls the DOE about the Livermore break in. They tell him to keep it quiet, but to call the National Computer Security Center, which operates out of the NSA. The NCSC is receptive, but can’t do anything about it.

Cliff does some legal research and discovers that a warrant isn’t legally required for a phone trace (18 USCA § 3121). He looks over his notes and realizes he wrote down all the numbers the Virginia telco operator said during the trace. There are only a few possible permutations, so he social engineers the operator into checking the registered owner of each of them, claiming he was erroneously charged for calls to those numbers. Only one is active, and it points to MITRE, a defense contractor in McLean, VA.

He calls the Virginia telco and asks them to confirm the number he found on his own. They aren’t supposed to do that, but they do it anyway. This is a common social engineering technique: getting someone to confirm a piece of information rather than asking them for it outright.

Social Engineering

Cliff used social engineering to extract information he needed to further his investigation. Social engineering, in security, is the act of influencing a person to take an action that may or may not be in their best interest. It usually takes the form of phishing (e-mail), vishing (phone), or impersonation (e-mail, phone, or in person). The human plays a significant role in many breaches. The success rate of external pen tests with humans out of scope is often fairly low (<20%). With humans in scope, it is usually near or at 100%.

In class we examined a few different SE scenarios and debated which types of scenarios would be most effective. We discussed Maslow’s Hierarchy of Needs and how attackers leverage primary and secondary needs to elicit action, suppress action, reveal information, or change information.

Experiment with BeEF (the Browser Exploitation Framework) to get a sense of what control an attacker has simply by getting you to visit a link.

He speaks to a network operator at MITRE who insists it is impossible that his network has been hacked. The operator nonetheless agrees to put a trace on the line and wait for Cliff to call him the next time the attacker logs in, which would validate the connection.

Questions to Consider

Are Zero Trust Networks inevitable for all modern networks?

Why or why not?

What current challenges exist for specific types of networks (see below) to move towards a ZT/BeyondCorp model?

I didn’t know when I was growing up in rural western Kentucky that just by virtue of living where I did that I was disadvantaged. I grew up poor, but so did all my friends and as rough as I had it, I knew people who had it worse. The fact is that people growing up in rural areas are significantly more likely to be unemployed, live in poverty, become disabled due to poor health, and die early. I didn’t know that all these things were working against me.

At a young age, I was introduced to computers. This initial spark of interest led me to write software, learn how to connect computers into networks, and use technology to enrich my life and the lives of those around me. A few teachers recognized my interest and helped me turn that spark into a sustained interest that eventually led to a college degree and a career in computer technology. The fate that I seem predestined for was not to be, and it was because of that initial spark and the opportunity to pursue it. Sadly, this spark is too often missed or never cultivated.

I started the RTF to introduce other young people to technology so that it could change their lives in the same way it changed mine. So far, we’ve been able to do that with great success. In 2017 alone, we’ve been able to introduce just over 28,000 rural students to technology careers by equipping their schools with things like Chromebooks, Raspberry Pis, robotics kits, 3D printers, and more. While our progress this year has been tremendous, we’ve got more work to do.

We want to reach 30,000 students in 2017 and 100,000 total students within the next two years. These are massive goals and represent tremendous impact. Our goal is to introduce students to the potential of technology careers so that we can help end the generational poverty that has defined their lives. Through this, we hope to bring greater economic impact to rural areas and help decrease the massively unequal distribution of wealth between rural areas and their urban counterparts.

We need your help to reach this goal. The month of December is our most important month for fundraising as it helps us meet our year-end goals and begin the new year with momentum. If we’re going to reach 100,000 students we need your contribution. With this, you have our guarantee that 100% of your donation will go straight to the classroom. We are an entirely volunteer-led organization, which means we pay no salaries. Your donation will have direct, tangible impact.

There are several ways to help:

One Time Donation: A one time gift can be made via check or PayPal. A PayPal account is not required to make an online gift. You can do so here: http://ruraltechfund.org/donate/.

Recurring Donation: A recurring gift helps us better plan our charitable work. As a part of contributing to our Patreon, you’ll get exclusive updates about work we’re doing in classrooms all over the country. You can do so here: https://www.patreon.com/rtf.

Amazon Smile: As you’re doing your holiday shopping, consider doing so through Amazon Smile. When you select the RTF as your charity of choice, Amazon will contribute a portion of your purchase price directly to us.

The Rural Technology Fund is a 501(c)(3) organization, which means your donations are tax deductible.

I didn’t know what I had working against me when I was growing up in a rural area. Now I know, and we’re working to change the future for kids like me. I hope you’ll join us. We can’t do it without your help.

Cliff observes the attacker logging in again via the Sventek account and using Kermit to copy a file over. The file is a program that prompts users for their password and then redirects them to the legitimate application: a Trojan login prompt whose purpose is clearly to steal passwords. The attacker fails to deploy it successfully, however, and it never executes.

Realities of Password Theft

We use this opportunity to talk about password theft and the dramatic impact it can have. I posed a question to the group: which of these is worse?

An attacker having root privileges on a single system, without a clear text user password?

An attacker having user privileges on a single system, with a clear text user password?

Of course, the answer is “it depends.” The nightmare scenario for prevention and detection is an attacker with clear text credentials for a user with great power.

I highlighted four realities of password theft:

If I can authenticate to a machine as you, the machine gives me the privileges assigned to you.

An attacker doesn’t have to attack vulnerabilities in software if they have legitimate credentials.

An attacker who can access a network with legitimate credentials will almost always do so.

Many long-term attacks involve the use of legitimate credentials.

It’s also important to keep in mind that a user account is not equivalent to a user, it only represents them. An attacker can authenticate as a user, but can never be that user. It is that distinction that we must leverage to detect and prevent attackers who would seek to impersonate.
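Two passages above ask for the same thing: the “last login” message that let the CIA secretary notice an impostor, and the point that an account only represents a user, so a login the real person could not have made is detectable. The example below, which I added for these notes and which is not from the book or the class, does both over sshd-style log lines: it computes the banner a user should see at login and flags logins from a source the person never uses or during a declared absence. The log lines, host names, addresses, and the year 2024 (syslog lines carry no year) are all constructed for the example.

```python
"""Added example: the "last login" nudge and impostor detection from auth logs.

Not from The Cuckoo's Egg or the class. Log lines, hosts, addresses and the
assumed year are constructed for this example.
"""
import re
from datetime import date, datetime

# Matches successful OpenSSH logins; failures are ignored on purpose here.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
ASSUMED_YEAR = 2024  # syslog timestamps have no year; assumed for the demo

# Constructed sample: a user who always works from 10.0.5.21, and one login
# from elsewhere while she is on leave (Jan 16 to Jan 19).
SAMPLE_LOG = """\
Jan 14 08:02:11 lbl sshd[411]: Accepted password for secretary from 10.0.5.21 port 51122 ssh2
Jan 15 08:05:40 lbl sshd[498]: Accepted password for secretary from 10.0.5.21 port 51190 ssh2
Jan 16 09:00:00 lbl sshd[550]: Failed password for secretary from 198.51.100.7 port 40021 ssh2
Jan 17 02:14:09 lbl sshd[602]: Accepted password for secretary from 198.51.100.7 port 40022 ssh2
Jan 22 08:01:00 lbl sshd[733]: Accepted password for secretary from 10.0.5.21 port 51300 ssh2
"""
KNOWN_SRCS = {"10.0.5.21"}                                   # constructed baseline
SAMPLE_ABSENCES = [(date(2024, 1, 16), date(2024, 1, 19))]  # constructed leave window


def parse_logins(text):
    """Return successful logins as (datetime, user, src) tuples, oldest first."""
    logins = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        logins.append((ts, m["user"], m["src"]))
    return sorted(logins)


def last_login_banner(logins, user):
    """The nudge shown at login: the previous successful login for this user.

    The newest entry is the session being opened right now, so the banner
    reports the one before it. A user who sees a time or source they do not
    recognise has the information needed to raise the alarm.
    """
    mine = [entry for entry in logins if entry[1] == user]
    if len(mine) < 2:
        return "No previous login"
    ts, _, src = mine[-2]
    return f"Last login: {ts:%a %b %d %H:%M:%S} from {src}"


def suspicious_logins(logins, user, known_srcs, absences):
    """Flag logins the person behind the account could not plausibly have made:
    an unknown source address, or a time inside a declared absence window."""
    flagged = []
    for ts, u, src in logins:
        if u != user:
            continue
        why = []
        if src not in known_srcs:
            why.append(f"unknown source {src}")
        if any(start <= ts.date() <= end for start, end in absences):
            why.append("during declared absence")
        if why:
            flagged.append((ts, src, why))
    return flagged


if __name__ == "__main__":
    logins = parse_logins(SAMPLE_LOG)
    print(last_login_banner(logins, "secretary"))
    for ts, src, why in suspicious_logins(logins, "secretary", KNOWN_SRCS, SAMPLE_ABSENCES):
        print(f"{ts} {src}: {'; '.join(why)}")
```

The banner puts the decision in the user’s hands (the choice architecture point); the absence and source checks do the same comparison centrally, which is where an analyst would catch it when the user doesn’t.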

Clear Text Password Theft

Clear text passwords primarily exist in three places: in the user’s head, in transit on the network, and in a limited number of places on the operating system (most notably in the memory of the processes that handle authentication). There are techniques attackers can use to steal passwords from each of these locations. I demonstrated an attack against each one.

Harvesting from the Human: We used the Social Engineering Toolkit to replicate legitimate sites. These clones are delivered to the victim via some form of social engineering (like a phishing e-mail). The victim inputs their password, which is covertly sent to the attacker.

Harvesting from the Network: Some protocols submit credentials in clear text. Anyone with a packet sniffer in the right location can intercept them. I demonstrated extracting web application credentials that were transmitted over plain HTTP.

Harvesting from the OS: While passwords are most often stored as hashes on the local system, there are methods for extracting their clear text representation from memory. One of the most common techniques on Windows systems is using Mimikatz to read credentials out of the LSASS process, which on Windows 7 held clear text passwords for the WDigest provider by default. I demonstrated the execution of Mimikatz on a Windows 7 system.

Level 1: Download the Social Engineering Toolkit and use the credential collection feature that clones an existing website. Consider how you might compose a phishing e-mail that tricks a victim into inputting their credentials (don’t actually send it).

Level 2: Perform a packet capture while browsing to applications you authenticate to on a regular basis. Assess whether your credentials are submitted in the clear, or over an encrypted channel.
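For the network harvesting demo and the Level 2 exercise, here is what the sniffer actually has to do once it sees a clear text HTTP stream. This is an added example for these notes, not code from the class or from any capture tool: it takes an already reassembled client-to-server byte stream (real tooling would first reassemble TCP), splits it into requests using Content-Length, and pulls out HTTP Basic credentials and form logins. The two requests, the host name, and the form field names it looks for are all constructed assumptions.

```python
"""Added example: extract credentials from clear text HTTP (not class code).

Assumes the TCP stream has already been reassembled. The sample traffic,
host name and form field names are constructed for this example.
"""
import base64
from urllib.parse import parse_qs

# Constructed: two client requests as they would appear back to back in
# one TCP stream. "alice:hunter2" is base64-encoded in the Basic header.
SAMPLE_STREAM = (
    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"
    b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n"
    b"username=sventek&password=jaeger1"
)

# Assumed field names; real tooling carries much longer lists.
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")
USER_FIELDS = ("username", "user", "login", "email")


def split_requests(stream: bytes):
    """Split a client->server stream into (request_line, headers, body).

    Bodies are delimited by Content-Length; chunked encoding is not handled
    in this example.
    """
    out = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[end + 4:end + 4 + length]
        out.append((lines[0], headers, body))
        pos = end + 4 + length
    return out


def extract_credentials(stream: bytes):
    """Return a list of (kind, request_line, user, password) found in the stream."""
    found = []
    for request_line, headers, body in split_requests(stream):
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            # Basic auth is only base64, not encryption: decode and split on ':'.
            decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
            user, _, password = decoded.partition(":")
            found.append(("basic", request_line, user, password))
        ctype = headers.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            fields = {k.lower(): v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
            password = next((fields[f] for f in PASSWORD_FIELDS if f in fields), None)
            user = next((fields[f] for f in USER_FIELDS if f in fields), None)
            if password is not None:
                found.append(("form", request_line, user, password))
    return found


if __name__ == "__main__":
    for kind, req, user, pw in extract_credentials(SAMPLE_STREAM):
        print(f"{kind:5} {req:22} {user}:{pw}")
```

When doing the exercise with a real capture, the equivalent check is simply whether the login request went out over port 443/TLS (the sniffer sees only ciphertext) or over port 80 (it sees exactly what this code parses).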

Sandy, a colleague of Cliff’s, finds a computer lab in the library set up to auto-dial Tymnet when students log in. It seems logical that an internal attacker (like a student) might be using these terminals to attack the network. Cliff and Sandy work with local law enforcement to post someone in the lab. Cliff monitors for the next time the attacker logs in and calls the lab. Unfortunately, nobody is logged into any of the terminals. The theory that the attacker was coming from the lab is debunked.

Insider vs. Outsider Threat

We briefly discussed the source of threats. The insider threat has potential to be much more damaging and hard to detect. However, the hype surrounding insider threat is dramatically overblown. Insider threat accounts for an incredibly small percentage of actual breaches.

Cliff begins going through his attacker logs in more depth and eventually discovers more compromised accounts. A portion of the attacker’s tradecraft is revealed: the attacker searches for old, unused accounts and edits the password file to reactivate them. He would also blank the account’s password field so that he could log in and set a new one, making the accounts perfectly suitable for use again. This was all made possible by the same GNU Emacs movemail bug.
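That tradecraft leaves a clear artifact in the password database, and it is worth seeing what a check for it looks like. The following is an added example for these notes (not from the book, and not a real audit tool): it compares two snapshots of an /etc/shadow-style file and reports accounts whose password field was blanked, accounts that went from locked to active with a new hash, and accounts that appeared from nowhere. Both snapshots are constructed; the hashes are placeholders.

```python
"""Added example: detect dormant accounts revived by editing the password file.

Not from The Cuckoo's Egg. Both snapshots are constructed and the hashes
are placeholders, not real crypt(3) output.
"""

# In /etc/shadow a password field starting with '!' or '*' is locked.
LOCKED_PREFIXES = ("!", "*")

# Constructed snapshots. Fields: name:hash:lastchg:min:max:warn:inactive:expire:
BEFORE = """\
root:$6$abc$hash1:19700:0:99999:7:::
sventek:!$6$abc$hash2:18200:0:99999:7:::
oldgrad:*:17500:0:99999:7:::
alice:$6$abc$hash3:19720:0:99999:7:::
"""
AFTER = """\
root:$6$abc$hash1:19700:0:99999:7:::
sventek::19740:0:99999:7:::
oldgrad:$6$xyz$hash9:19740:0:99999:7:::
alice:$6$abc$hash3:19720:0:99999:7:::
"""


def parse_shadow(text):
    """Map account name -> password field, ignoring the ageing fields."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, password, *_ = line.split(":")
        entries[name] = password
    return entries


def state(password_field):
    """Classify a password field as empty, locked or active."""
    if password_field == "":
        return "empty"
    if password_field.startswith(LOCKED_PREFIXES):
        return "locked"
    return "active"


def reactivated_accounts(before_text, after_text):
    """Return (account, finding) pairs for the edits an intruder would make."""
    before = parse_shadow(before_text)
    after = parse_shadow(after_text)
    findings = []
    for name, password in after.items():
        new_state = state(password)
        old = before.get(name)
        if new_state == "empty":
            # Whether an empty field actually permits login depends on the
            # PAM nullok setting, but it is never a legitimate state to find.
            findings.append((name, "password field blanked"))
        elif old is None:
            findings.append((name, "account added"))
        elif state(old) == "locked" and new_state == "active":
            findings.append((name, "locked account reactivated with new hash"))
    return findings


if __name__ == "__main__":
    for name, finding in reactivated_accounts(BEFORE, AFTER):
        print(f"{name}: {finding}")
```

Running the comparison against a known-good snapshot on a schedule is the point: the intruder’s edit only stands out relative to a baseline, which is why Bejtlich’s “inventoried” and “claimed” properties matter.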

Password Hash Theft

In most places, passwords are stored as hashes rather than in clear text. A password hash is the output of a one-way cryptographic function applied to the password; the operating system stores and compares hashes because that is safer than keeping the plaintext password in multiple places. While a password hash is less valuable than a clear text password, it can still be leveraged by attackers to gain access. How much it helps them depends on the algorithm: an unsalted, fast hash can be cracked quickly, while a salted, deliberately slow one (bcrypt, scrypt, PBKDF2, Argon2) makes every guess expensive.

I discussed two techniques relating to password hashes.

Password Cracking: An attacker who desires the clear text password associated with a user can attempt to crack the password. I used John the Ripper to demonstrate this process.

Pass the Hash: Sometimes, all you need is the hash. Windows NTLM authentication proves possession of the NT hash rather than the password itself, so an attacker who holds the hash can authenticate without ever cracking it. I discussed the Pass the Hash toolkit and how an attacker could use this to gain access as the user whose password hash they’ve stolen.

Level 1: Create a user account on a Windows system. Extract the hash and use John to attempt to crack the password.

Level 2: Increase the complexity of the password minimally, and perform the same task again. Keep increasing the complexity and take note of how much longer it takes to crack the password.
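To see the mechanics behind the Level 1 and Level 2 exercises without John’s machinery, here is a toy dictionary cracker I added for these notes (it is not John the Ripper’s code, and its rules are a tiny subset of what John applies). It shows two things: that a small mangling rule set recovers passwords that are only “slightly” complex, and that the number of guesses, multiplied by the cost of one guess, is what determines cracking time, so a slow hash like PBKDF2 raises the price of every guess. The wordlist and the target passwords are constructed for the example.

```python
"""Added example: a toy dictionary cracker (not John the Ripper's code).

Wordlist and targets are constructed. SHA-256 stands in for a fast hash;
PBKDF2 with a small iteration count stands in for a slow one (real
deployments use far higher counts than the default here).
"""
import hashlib
import time

# Constructed wordlist; John ships lists of millions of entries.
WORDLIST = ["password", "letmein", "jaeger", "hunter", "benson", "hedges", "summer"]


def mangle(word):
    """Yield 112 candidates per word in rough order of 'complexity':
    the word, Capitalised, with one digit appended, Capitalised with two digits."""
    yield word
    yield word.capitalize()
    for d in range(10):
        yield f"{word}{d}"
    for d in range(100):
        yield f"{word.capitalize()}{d:02d}"


def fast_hash(pw: str) -> str:
    """Unsalted, fast: what an attacker hopes to find."""
    return hashlib.sha256(pw.encode()).hexdigest()


def slow_hash(pw: str, salt: bytes = b"demo-salt", iterations: int = 10_000) -> str:
    """Salted and iterated: each guess costs thousands of hash operations."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def crack(target_hash: str, hash_func):
    """Try every mangled candidate; return (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in WORDLIST:
        for candidate in mangle(word):
            guesses += 1
            if hash_func(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def seconds_per_guess(hash_func, n: int = 20) -> float:
    """Measure the cost of one guess so the reader can scale guesses to time."""
    start = time.perf_counter()
    for i in range(n):
        hash_func(f"probe{i}")
    return (time.perf_counter() - start) / n


if __name__ == "__main__":
    for target in ("hunter", "Hunter07", "Hunter7"):
        print(target, "->", crack(fast_hash(target), fast_hash))
    fast, slow = seconds_per_guess(fast_hash), seconds_per_guess(slow_hash)
    print(f"fast: {fast:.2e} s/guess, slow: {slow:.2e} s/guess, ratio {slow / fast:.0f}x")
```

“Hunter7” is not recovered because no rule produces a capitalised word with a single digit, which is the Level 2 lesson in miniature: complexity only helps when it falls outside the attacker’s rules, and the slow hash helps regardless of the password because it multiplies the cost of every guess.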

Cliff observes the attacker using the LBL connection to connect to White Sands Missile Range (WSMR). The attacker fails to get in. Cliff notifies the FBI of what he’s seen, but they don’t care enough to investigate it. He also notifies the Air Force OSI (Office of Special Investigations). They start looking into it but don’t provide any immediate, significant response.

The next time the attacker dials in, Cliff initiates another trace. The local phone company traces it to a telco in Virginia, which is able to trace it to the next hop. Unfortunately, they can’t share the results with Cliff: the telco works with the police, not individuals, and a trace there would require a warrant in Virginia, while Cliff’s warrant is only good for California. For now, Cliff’s stuck.

Critical Question(s)

Should this crime have warranted closer inspection by the FBI?

Why or why not?

How do you determine the threshold for a crime worthy of investigation? Think about this from a macro (FBI) and micro (your company) scale. What is worth the expenditure of resources to pursue?

Sometimes you only need one name. Prince, Madonna, Oprah… and Sergio. This week I’m thrilled to be joined by my good friend Sergio Caltagirone. We talked about the importance of ICS security, control system themed road trips, and the intersection of information security and philosophy. Sergio takes us through his journey from the Department of Defense to Microsoft and on to Dragos. We also get the story of how the Diamond Model came into existence. Perhaps most importantly, we talk about his work to fight human trafficking and how he is applying data science to this problem at the Global Emancipation Network.

Sergio chose to support the Rural Technology Fund with his appearance (I promise I didn’t coerce him). These funds will go to rural public school classrooms to introduce more kids to computer science.

If you like what you hear, I’d sincerely appreciate you subscribing, “liking”, or giving a positive review of the podcast on whatever platform you use. Let Sergio know you enjoyed it by tweeting at him @cnoanalysis. As always, I love hearing your feedback as well; you can reach me @chrissanders88.

Stay Updated!

I use my mailing list to send out exclusive content, training discounts, and it's the best way to stay up to date on new classes I conduct on topics like network security monitoring, packet analysis, technical writing, and more.


Applied Network Security Monitoring

Applied Network Security Monitoring is the essential guide to becoming an NSM analyst from the ground up. This book takes a fundamental approach, complete with real-world examples that teach you the key concepts of NSM.

Practical Packet Analysis

It's easy to capture packets with Wireshark, the world's most popular network sniffer, whether off the wire or from the air. But how do you use those packets to understand what's happening on your network? This extensively revised second edition of the best-selling Practical Packet Analysis will teach you how to make sense of your PCAP data.

100% of the author royalties for sales of Practical Packet Analysis go to support the Rural Technology Fund.

Rural Technology Fund

Established in 2008, the Rural Technology Fund (RTF) seeks to reduce the digital divide between rural communities and their more urban and suburban counterparts. This is done through targeted scholarship programs, community involvement, and the general promotion and advocacy of technology in rural areas.